Savva Pistolas is speaking at Global Offshore Wind 2026 this week in Manchester under the theme ‘Securing the future.’ Offshore wind developers sit at the centre of supply chains with some of the most acute cyber exposure in UK infrastructure.
To coincide with GOW26, Turtledove Cyber is publishing a new white paper on UK supply chain cyber security, titled ‘The Wagon Wheel Model: Repositioning the UK Prime Contractor as Supply Chain Cyber Steward.’ It sets out why the dominant approach produces documentation rather than resilience, and what prime contractors can do instead.
The Problem Is Getting Worse
The DSIT Cyber Security Breaches Survey 2025/26 found that third party involvement in breaches doubled to approximately 30 per cent in the most recent reporting period. The NCSC Annual Review 2025 recorded 204 nationally significant cyber incidents between September 2024 and August 2025, a 130 per cent increase on the prior year.
The August 2025 ransomware attack on Jaguar Land Rover caused an estimated £1.9 billion in economic damage and disrupted 104,000 UK workers within days. The following month, a compromise of Collins Aerospace’s passenger processing software cascaded across Heathrow, Brussels, and Berlin airports simultaneously. In both cases, the supply chain was the entry point.
Only 14 per cent of UK firms are managing the potential risks posed by their immediate suppliers, a figure Cyber Security Minister Liz Lloyd cited in the foreword to the NCSC’s own Cyber Essentials Supply Chain Playbook.
What the White Paper Argues
The conventional framing casts the prime contractor as a victim of its own extended attack surface. The threat comes from the SME supplier; the prime’s job is to contain it through contract terms. The white paper argues this misidentifies where power sits.
Prime contractors hold three structural advantages that no individual SME supplier possesses: visibility across the entire supplier base, commercial leverage sufficient to create real compliance incentives, and the ability to aggregate demand across a supplier cohort and negotiate pricing that no SME could access alone.
The wagon wheel model names this. The prime sits at the hub. Each SME supplier is a spoke. Stronger spokes strengthen the wheel. Because each SME serves customers beyond the prime, that resilience gain propagates through the wider economy.
Key Findings
The mechanism already exists
The NCSC Cyber Essentials Supply Chain Playbook provides Cyber Advisors at £120 per hour, a funded CE+ support package of 20 hours, a voucher mechanism primes can deploy on behalf of suppliers, and the IASME Supplier Check Tool, which batch assesses certification status across up to 5,000 suppliers in a single query. The infrastructure to start assessing and maturing supply chains is operational and has government backing. The steward model requires no new institutions and no new regulation. What has been absent is the strategic framing that positions the prime as an active orchestrator rather than a passive compliance consumer.
The return on investment case is documented
A major pensions and life company that required Cyber Essentials across its network of 2,800 partners reported an approximately 80 per cent reduction in cyber security incidents as a direct consequence (NCSC Supply Chain Playbook). For a prime orchestrating CE+ across an offshore wind O&M supplier cohort, programme costs are modest against the avoided cost of a single significant supply chain breach. The JLR attack ran at £72 million per day in lost production.
Aggregated procurement changes the affordability picture
An SME engaging with the Cyber Essentials market individually faces £300 to £500 for basic CE and £1,000 to £3,000 or more for CE+, depending on IT complexity. A prime orchestrating the same assessment through a single IASME Certification Body (like Turtledove) achieves volume pricing through scheduling efficiency and standardised preassessment tooling. The saving is sufficient to bring in suppliers who would otherwise decline on cost grounds alone.
Offshore wind faces specific regulatory pressure
The Cyber Security and Resilience Bill, introduced to Parliament in November 2025 and expected to receive Royal Assent in 2026, extends mandatory cyber security obligations to critical energy infrastructure supply chains. NIS2 implementation holds tier one energy operators responsible for the cyber posture of their suppliers. Offshore wind developers that build CE+ programmes across their installation and O&M supply chains before those deadlines are ahead of a foreseeable regulatory requirement.
Where this can work
The white paper does not argue this model applies everywhere. It identifies four substantive objections and addresses each directly: incentive asymmetry between primes and competitors using the same suppliers, data governance tensions around supplier assessment findings, dependency risk if a supplier’s programme is tied too tightly to a single commercial relationship, and a practical scale ceiling of roughly 20 to 200 coherent suppliers in a single sector or geography. The model works best within those bounds, and the paper says so.
Read the White Paper
The Wagon Wheel Model sets out the full economic and practical case, including sector application to offshore wind energy and defence aerospace, concrete recommendations for enterprises, policymakers, and certification bodies, and an analysis of the regulatory trajectory that makes the steward posture commercially rational to adopt now.
If you are at Global Offshore Wind 2026 in Manchester this week, Savva is available to discuss how the model applies to your supply chain.